{"id":13337991,"url":"https://gitlab.com/rouing/docker-ntpsec","last_synced_at":"2025-03-11T08:32:15.005Z","repository":{"id":61315843,"uuid":"19888023","full_name":"rouing/docker-ntpsec","owner":"rouing","description":"Docker container for ntpsec","archived":false,"fork":false,"pushed_at":null,"size":null,"stargazers_count":2,"open_issues_count":null,"forks_count":2,"subscribers_count":null,"default_branch":"master","last_synced_at":"2024-10-23T20:11:42.202Z","etag":null,"topics":["NTP","container","containers","docker","ntpsec","nts","time","timeserver","tls"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://gitlab.com/uploads/-/system/project/avatar/19888023/rsz_1ntpseclogo.png","metadata":{"files":{"readme":"README.MD","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-07-11T02:16:51.948Z","updated_at":"2020-07-25T14:17:39.750Z","dependencies_parsed_at":"2022-10-14T22:12:10.976Z","dependency_job_id":null,"html_url":"https://gitlab.com/rouing/docker-ntpsec","commit_stats":null,"previous_names":[],"tags_count":0,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/gitlab.com/repositories/rouing%2Fdocker-ntpsec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/gitlab.com/repositories/rouing%2Fdocker-ntpsec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/gitlab.com/repositories/rouing%2Fdocker-ntpsec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/gitlab.com/repositories/rouing%2Fdocker-ntpsec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/gitlab.com/owners/rouing","download_url":"https://gitlab.com/rouing/docker-ntpsec/-/archive/mast
er/docker-ntpsec-master.zip","host":{"name":"gitlab.com","url":"https://gitlab.com","kind":"gitlab","repositories_count":4518026,"owners_count":6814,"icon_url":"https://github.com/gitlab.png","version":null,"created_at":"2022-05-30T11:31:42.605Z","updated_at":"2024-07-18T11:24:13.055Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/gitlab.com","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/gitlab.com/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/gitlab.com/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/gitlab.com/owners"}},"keywords":["NTP","container","containers","docker","ntpsec","nts","time","timeserver","tls"],"created_at":"2024-07-29T19:15:16.789Z","updated_at":"2025-03-11T08:32:14.432Z","avatar_url":"https://gitlab.com/uploads/-/system/project/avatar/19888023/rsz_1ntpseclogo.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# NTPsec\n\n[NTPsec](https://ntpsec.org/) is an NTPd Network Time Server with TLS 1.3 security added to it. This allows for secure syncing/peering between 2 time servers. 
\n\n## Quick Reference\n* __Main git repo__: https://gitlab.com/rouing/docker-ntpsec/\n* __Mirrored git repo__: https://github.com/rouing/docker-ntpsec/\n* __NTPsec issues__: https://gitlab.com/NTPsec/ntpsec/-/issues\n* __NTPsec Docker issues__: https://gitlab.com/rouing/docker-ntpsec/-/issues\n* __NTPsec Documentation__: https://docs.ntpsec.org/latest/NTS-QuickStart.html\n* __IETF NTS Draft__: https://tools.ietf.org/html/draft-ietf-ntp-using-nts-for-ntp-28\n\n## Public NTS capable time servers\n\n* [time.cloudflare.com:1234](https://www.cloudflare.com/time/)\n* [ntpsec.anastrophe.com](https://ntpsec.anastrophe.com/) [ntp.org listing](http://support.ntp.org/bin/view/Servers/PublicTimeServer001384)\n* [ntp.keff.org](http://ntp.keff.org/)\n* [pi4.rellim.com](https://pi4.rellim.com/)\n\n## Supported tags and respective `Dockerfile` links\n\n* [`latest`, `alpine`, `alpine-latest`, `alpine3`, `alpine3.12`, `alpine3.12.0`, `1.1.9-alpine`, `1.1.9-alpine3`, `1.1.9-alpine3.12`, `1.1.9-alpine3.12.0`](https://gitlab.com/rouing/docker-ntpsec/-/blob/master/ntpsec_alpine3.12) \n* [`alpine-edge`, `1.1.9-alpine-edge`](https://gitlab.com/rouing/docker-ntpsec/-/blob/master/ntpsec_alpine-edge)\n* [`centos`, `centos-latest`, `centos8`, `centos8.2`, `1.1.9-centos`,`1.1.9-centos8`, `1.1.9-centos8.2`](https://gitlab.com/rouing/docker-ntpsec/-/blob/master/ntpsec_centos8)\n* [`debian`, `debian-latest`, `debian-slim`, `debian10-slim`, `debian10.4-slim`, `1.1.9-debian`, `1.1.9-debian-slim`, `1.1.9-debian10-slim`, `1.1.9-debian10.4-slim`](https://gitlab.com/rouing/docker-ntpsec/-/blob/master/ntpsec_debian10-slim)\n* [`debian-buster`, `debian10`, `debian10.4`, `1.1.9-debian10`, `1.1.9-debian10.4`](https://gitlab.com/rouing/docker-ntpsec/-/blob/master/ntpsec_debian10)\n* [`debian-testing`, `1.1.9-debian-testing`](https://gitlab.com/rouing/docker-ntpsec/-/blob/master/ntpsec_debian-testing)\n* [`debian-testing-slim`, 
`1.1.9-debian-testing-slim`](https://gitlab.com/rouing/docker-ntpsec/-/blob/master/ntpsec_debian-testing-slim)\n\n## CLI start examples \n```bash\n# Run\ndocker run -it --rm --name ntpsec -p123:123/udp -p123:123/tcp -v /var/lib/ntp:/var/lib/ntp  --cap-add SYS_TIME --cap-add SYS_NICE --cap-add NET_RAW --cap-add NET_BIND_SERVICE ardoin/ntpsec\n\n# Run detached\ndocker run -d --rm --name ntpsec -p123:123/udp -p123:123/tcp -v /var/lib/ntp:/var/lib/ntp --cap-add SYS_TIME --cap-add SYS_NICE --cap-add NET_RAW --cap-add NET_BIND_SERVICE ardoin/ntpsec\n\n# Run detached, use host network and limit logfile size\ndocker run -d --rm --name ntpsec --net=host -v /var/lib/ntp:/var/lib/ntp  --cap-add SYS_TIME --cap-add SYS_NICE --log-opt max-size=1m --log-opt max-file=3 ardoin/ntpsec\n\n# BYO (bring your own) config file\ndocker run -it --rm --name ntpsec -p123:123/udp -p123:123/tcp -v /etc/ntp.conf:/etc/ntp.conf -v /var/lib/ntp:/var/lib/ntp --cap-add SYS_TIME --cap-add SYS_NICE --cap-add NET_RAW --cap-add NET_BIND_SERVICE ardoin/ntpsec\n\n# Or your own arguments\ndocker run -it --rm --name ntpsec -p123:123/udp -p123:123/tcp -v /var/lib/ntp:/var/lib/ntp  --cap-add SYS_TIME --cap-add SYS_NICE --cap-add NET_RAW --cap-add NET_BIND_SERVICE ardoin/ntpsec --help\n```\n`--cap-add NET_RAW --cap-add NET_BIND_SERVICE` are needed due to a bug with user namespaces, docker, and the linux kernel for now. Fix is on the way!\n`-v /var/lib/ntp:/var/lib/ntp` mounts the folder that holds the drift file specific to that machine. 
Highly recommend you don't touch this.\n\n## Sample ntp.conf with NTS Examples\n\n```bash\ndriftfile /var/lib/ntp/ntp.drift # This should be bind mounted to your host as it is specific to the host it's running on.\n\n# Analytics\n# statsdir /var/log/ntpstats/\n\n# Pure Logs \n#statistics loopstats peerstats clockstats \n#filegen loopstats file loopstats type day enable\n#filegen peerstats file peerstats type day enable\n#filegen clockstats file clockstats type day enable\n\n#logfile /var/log/ntpd.log \n#logconfig =syncall +clockall +peerall +sysall\n\n# The interface directive is great when your docker is in host net mode. (It works)\n#interface ignore all # Do not engage (ignore) all interfaces\n#interface listen eth1 # Listen to that one interface with the public IP. \n# The last one overwrites the first one\n\n#server clock.nyc.he.net iburst #CDMA, Stratum 1, iburst is a better disconnect netflow. \n#server time.cloudflare.com:1234 iburst nts #NTS Protocol Enabled, TLS1.3 Only by Default, Port 123 over TCP(!)\npool 0.pool.ntp.org iburst prefer # Prefer\npool 1.pool.ntp.org iburst\npool 2.pool.ntp.org iburst\n\n# Enable NTS\nnts enable # Mandatory for NTS\n# SSL Cert that is your Key (Mandatory for NTS Server(?))\nnts key /etc/letsencrypt/live/can.be.yours/privkey.pem\n# Full Chain Cert (Mandatory for NTS Server(?))\nnts cert /etc/letsencrypt/live/can.be.yours/fullchain.pem\n# Where auth cookies are stored (Mandatory for NTS)\nnts cookie /var/lib/ntp/nts-keys\n\n# Default safe security settings\nrestrict default kod limited nomodify nopeer noquery\nrestrict 127.0.0.1\n\n# Remove all restrictions for things like some LAN machines. 
\n# Remote ntpq control\n#unrestrict another.host.local\n```\n\nReduce Conntrack Flooding\n```sh\n# disable conntrack on NTP port 123 (UDP for NTP, TCP for NTS)\n$ iptables -t raw -A PREROUTING -p udp -m udp --dport 123 -j NOTRACK\n$ iptables -t raw -A OUTPUT -p udp -m udp --sport 123 -j NOTRACK\n$ iptables -t raw -A PREROUTING -p tcp -m tcp --dport 123 -j NOTRACK\n$ iptables -t raw -A OUTPUT -p tcp -m tcp --sport 123 -j NOTRACK\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/gitlab.com%2Frouing%2Fdocker-ntpsec","html_url":"https://awesome.ecosyste.ms/projects/gitlab.com%2Frouing%2Fdocker-ntpsec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/gitlab.com%2Frouing%2Fdocker-ntpsec/lists"}